My server is under attack (I think)

Mike Tancsa mike at sentex.net
Fri Aug 19 15:20:54 UTC 2011


On 8/19/2011 11:01 AM, Mark Moellering wrote:
> I keep seeing a flood of messages when I run dmesg -a that look like this:
> 
> mail sshd[1831]: warning: /etc/hosts.allow, line 2: can't verify
> hostname: getaddrinfo(ip223.hichina.com, AF_INET) failed
> 
> Is there anything I should be doing to make sure the server isn't

First, look at line 2 of /etc/hosts.allow.  It's probably an issue of the
scanning IP having a PTR record mismatch, i.e. some IP has a PTR record
of ip223.hichina.com, but no corresponding A record. When the
attacker/scanner hits port 22 of your box, tcpwrappers (as set in
/etc/hosts.allow) tries to confirm the PTR record matches the A record,
but there is a mismatch, and hence the log message.  Take a look at
/var/log/auth.log for more info.

It's generally a good idea to block all network access as a first rule,
and then add specific rules to let people in to just what is needed. So
if you only manage the box via ssh from a range of hosts, block all
access to ssh and allow it just from those trusted locations.


	---Mike

-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/
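As an added illustration (not from the thread and not the tcpwrappers source), a small Python model of the two things Mike describes: the PTR-then-A verification that produces the "can't verify hostname" warning, and first-match evaluation of a default-deny /etc/hosts.allow. The addresses, the hostnames other than ip223.hichina.com and the rule file are constructed sample data.

```python
"""Simplified model of tcpwrappers behaviour: the reverse/forward DNS check
behind the 'can't verify hostname' warning, and first-match evaluation of a
default-deny hosts.allow. Not the real implementation."""
import ipaddress

# Constructed resolver data. 203.0.113.23 has a PTR record but no matching
# A record, which is the situation the warning in the thread describes.
PTR = {"203.0.113.23": "ip223.hichina.com", "198.51.100.5": "admin.example.net"}
A = {"admin.example.net": ["198.51.100.5"]}

def verify_hostname(ip):
    """Reverse-map the address, then require the name to map back to it."""
    name = PTR.get(ip)
    if name is None:
        return ("unknown", None)        # no PTR at all: nothing to verify
    forward = A.get(name)
    if forward is None:                 # forward lookup of the PTR name failed
        return ("unverified", f"can't verify hostname: getaddrinfo({name}, AF_INET) failed")
    if ip not in forward:               # forward lookup points somewhere else
        return ("mismatch", f"host name/address mismatch: {ip} != {name}")
    return ("verified", name)

# Constructed hosts.allow in the default-deny shape recommended above: one
# allow rule for sshd from an assumed management range, then deny everything.
HOSTS_ALLOW = """\
sshd : 198.51.100.0/24 : allow
ALL : ALL : deny
"""

def decide(daemon, ip):
    """Walk the rules in order; the first matching rule decides.
    Returns 'allow' or 'deny'; 'allow' if nothing matches (hosts.deny is
    not modelled here)."""
    addr = ipaddress.ip_address(ip)
    for line in HOSTS_ALLOW.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        daemons, clients, action = (f.strip() for f in line.split(":"))
        if daemons != "ALL" and daemon not in daemons.split(","):
            continue
        if clients != "ALL" and addr not in ipaddress.ip_network(clients, strict=False):
            continue
        return action
    return "allow"
```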

